Jun 17 2020 12:41 AM
All of a sudden we have started receiving alerts for "Burst of multiple reconnaissance commands could indicate initial activity after compromise [seen multiple times]" for all the subscriptions/tenant IDs over Azure. The reported commands are basic Linux commands, and when the Linux team searches they aren't able to find such huge counts as reported by Azure Security Center. Is there some new threat intel update, or have some changes been made to Azure Security Center? If you have any hints as to why we are receiving these alerts, then please reply.
Jun 17 2020 05:30 AM
Same here, so I'm also interested to know about this alert.
Jun 17 2020 12:31 PM
We've recently seen the same alerts. With limited access to this environment I would be surprised if it was compromised in this manner.
Jun 17 2020 02:01 PM
We are getting the same alerts. We have looked at running pods and there are no custom deployments with privileged access. We have started an investigation because of a potential attack (https://azure.microsoft.com/en-in/blog/leverage-azure-security-center-to-detect-when-compromised-lin...), but these alerts do not give enough information. I am also interested if there are any new features or alert types in Azure Security Center.
Jun 18 2020 06:47 AM
We started receiving these alerts as well. I believe this could be related to a recent update in the OMS agent, based on FIM-observed file changes. Can anyone else confirm if the OMS agent on their Linux VMs involved in these alerts was recently updated?
Thanks!
Jun 24 2020 03:02 AM
Yes Ricky, the OMS agent is involved in these alerts.
Jul 05 2020 06:52 AM
Hi @ujjawalm ,
Those alerts are the result of a known temporary error in our system that caused Azure Security Center to trigger alerts that shouldn't be triggered. The issue was mitigated successfully - you shouldn't get such alerts anymore.
I am very sorry for the inconvenience it caused – please feel free to ignore those alerts.
Thanks,
Tal Rosler,
Product Manager, Azure Security Center.